<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/content-security-policy/support/testharness-helper.js"></script>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<body>
<script>
  async_test(t => {
    waitUntilEvent(window, "securitypolicyviolation")
      .then(t.step_func_done(e => {
        assert_equals(e.documentURI, document.location.toString());
        assert_equals(e.referrer, document.referrer);
        assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
        assert_equals(e.violatedDirective, "img-src");
        assert_equals(e.effectiveDirective, "img-src");
        assert_equals(e.originalPolicy, "img-src \'none\'");
        assert_equals(e.disposition, "enforce");
        assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/support/inject-image.sub.js");
        // Per https://html.spec.whatwg.org/#relevant-mutations:
        //     The img or source HTML element insertion steps or HTML element removing steps count the mutation as a relevant mutation.
        // So when the src load is async, line 3 (appendChild, and thus the insertion steps) is what triggers the relevant load, not the src setter.
        // But there's some interesting discussions going on about what the right trigger is, see https://github.com/whatwg/html/issues/10531.
        // So for now, we allow both.
        assert_true(
          (e.lineNumber == 3 && e.columnNumber == 15) ||
            (e.lineNumber == 2 && e.columnNumber == 1),
          `Location should be reasonable, got [${e.lineNumber}, ${e.columnNumber}]`
        );
        assert_equals(e.statusCode, 200);
      }));

    var s = document.createElement("script");
    s.src = "/content-security-policy/support/inject-image.sub.js";
    document.body.appendChild(s);
  }, "Non-redirected cross-origin URLs are not stripped.");
</script>
